Tip: Scan Windows Applications for Security Bugs

How do you keep your (or a family member's) Windows PC/Laptop secure? Most of the time, the first answer to that question is to ensure that all security updates have been installed. Windows downloads updates automatically in the background for the operating system, but many users neglect ensuring that third-party software is updated, which can present a big risk to security and privacy.

There are many ways to check if third-party software is updated and safe. One such solution is an application called Secunia PSI (Personal Software Inspector). If you have used this application before, then you know how useful it can be. If not, you should try it on your system or a system you are cleaning/repairing.

Why update third party apps?

Third party applications (media players, word processing/office software, web browsers & plug-ins, etc.) are often found to be vulnerable to attack. Web browsers and their third-party plug-ins are well known as a source of malware infection in Windows. Sometimes, just visiting a specially crafted webpage can trigger an exploit that could lead to a PC's security being completely compromised. Sometimes these vulnerabilities can make news on tech sites like AfterDawn, but many (most...) will be under the radar and might pose a threat to your system's security.

Therefore, it is recommended that you keep your third-party applications up to date, and be aware of security issues that affect your installed software to the best of your ability.

Secunia PSI v2.0

Secunia PSI v2.0 (pictured) is a useful tool that can help you keep software up to date. It will probe third-party software on your system to check for version information, and then compare that information to an online database. The database contains information on vulnerabilities that affect versions of specific software, and on patches (if any) that have been distributed by the vendor.

It will also alert you if software you have installed has reached its "End-of-Life" phase. This could mean that the software itself is no longer developed and/or supported altogether, or that a major version change has occurred (such as a program changing from v2.xx to v3.xx) where no more support will be provided for older versions.

Secunia PSI will also examine your operating system to check if all the latest major updates have been installed. It has the ability (if you allow it) to update many tools/plugins automatically in the background, and to monitor program changes as you install/uninstall software on your system.

NOTE: While Secunia PSI 3.0 has been released, this mini-guide is based on Secunia PSI v2.0. There are many reasons for this decision, but the main reason is that v3.0 seems to lose some of the better abilities / features of v2.0. I know it is ironic that this piece about keeping software up-to-date is written around an out-of-date version of an application, but Secunia PSI v2.0 is secure for use. I would suggest that you try v2.0 first as I direct here, and you can check out v3.0 later on and see if you want to keep the update. Major changes may also have occurred in Secunia PSI v3.0+ since this was written.

Install and Run

Download Secunia PSI v2.0.0.4003 from the link above. During the installation you will be asked whether you want to install updates automatically.

When the setup is complete, you will be able to run the application right away. It may take some time to load up properly, and it will carry out a scan of third-party applications on the system as soon as it starts. You should see the scan results immediately, but if not, you can click on "Scan Results" in the left pane.

Secunia PSI - Scan Results

Secunia PSI will list all the applications that it found and which it supports. The vast majority will show a Program State of "patched". This does not mean that these apps are definitely up to date though; instead it means that there has been no update with security fixes since that version. Secunia PSI is not a tool for tracking all application updates; it is only intended to track updates with security fixes and to flag those programs on your system which are vulnerable.

In the list of results shown above, you will also notice that Secunia PSI says Windows 7 is insecure. This is because I intentionally neglected to install this month's patches from Microsoft. Some results, such as Java, Flash and even Microsoft Updates may be automatically updated by Secunia PSI (if you agreed to that in the Setup), but most third-party updates will need your intervention.

Secunia PSI will show more detailed information if you double-click on any of the results. In the image above, Secunia PSI flags the installed version of the Daemon Tools software, and then tells me the latest update from the vendor that included at least one security fix. Remember, this does not mean that the update Secunia PSI recommends is the latest for any given software, it's just the latest one with security fixes.

Clicking "Install solution" will direct you to a download of the latest version with security fixes, but you might want to go to the vendor's website manually and search out the absolute latest download, which will also be secure.

Sometimes Secunia PSI offers no solution at all for a problem. This simply means that the vendor has not addressed the problem yet, and so you should be extra careful when using that application.

The image above shows another important thing to remember about Secunia PSI. If there are multiple instances of the same software on your system, then Secunia PSI will list them all, even if they are the exact same program version.

In the example picture, Secunia PSI flags VLC media player 0.x as being at the "End-of-Life" state. I have already installed the latest VLC Media Player some time ago, so why is this listed? Well, pay attention to the path to the VLC executable file.

What Secunia PSI has found is a version of VLC that was bundled with the Gmote Server application, which is a tool that lets you use your Android phone to launch movies or music, or to control the desktop of a Windows PC. So while I have the latest version of VLC installed, Secunia PSI still found this portable version used with another application and flagged it as End-of-Life.

The program will detect a lot of portable applications in this way. You can even use it, as I do, to scan a USB key which includes numerous portable apps (portable Firefox or security tools, etc), since it examines individual executable and DLL files.
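The scan logic described above (version probe, lookup against a database of security-relevant releases, "patched" meaning only that no newer security fix is known, End-of-Life branches, "no vendor solution", and every copy listed separately even at the same version) can be shown in a few dozen lines. This is an added example written for this page, not Secunia's code; the inventory, the advisory database and every version number and path in it are constructed for illustration.

```python
"""PSI-style check of a software inventory against a vulnerability database.

Added example, not Secunia's code. The inventory, the advisory database and
every version number and path below are constructed for illustration only.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.0.0.4003' or '0.9.10a' into a tuple of ints; letters are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def version_lt(a: str, b: str) -> bool:
    """True when version a is older than b; missing trailing components count as 0."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))


@dataclass(frozen=True)
class Advisory:
    """What the database knows about one major branch (v2.x, v3.x) of a product."""
    product: str
    major: int
    latest_fix: Optional[str] = None  # newest release in this branch containing a security fix
    unfixed_flaw: bool = False        # flaw is public but the vendor has shipped no fix yet
    end_of_life: bool = False         # branch no longer supported by the vendor


@dataclass(frozen=True)
class Installed:
    product: str
    version: str
    path: str  # every copy is listed separately, even at the same version


@dataclass(frozen=True)
class Result:
    product: str
    version: str
    path: str
    state: str  # "Patched", "Insecure", "End-of-Life" or "Not tracked"
    solution: Optional[str]


# Constructed advisory database (illustrative, not Secunia's data).
ADVISORIES = [
    Advisory("VLC media player", 0, end_of_life=True),
    Advisory("VLC media player", 2, latest_fix="2.0.2"),
    Advisory("Daemon Tools", 4, latest_fix="4.45"),
    Advisory("Adobe Flash Player", 11, unfixed_flaw=True),
    Advisory("Mozilla Firefox", 13, latest_fix="13.0.1"),
]

# Constructed inventory, as a registry/filesystem walk might produce it.
INVENTORY = [
    Installed("VLC media player", "2.0.1", r"C:\Program Files\VideoLAN\VLC\vlc.exe"),
    Installed("VLC media player", "0.9.9", r"C:\Program Files\Gmote\vlc\vlc.exe"),  # bundled copy
    Installed("Daemon Tools", "4.40", r"C:\Program Files\DAEMON Tools Lite\DTLite.exe"),
    Installed("Adobe Flash Player", "11.3.300.265", r"C:\Windows\System32\Macromed\Flash\NPSWF32.dll"),
    Installed("Mozilla Firefox", "13.0.1", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    Installed("Mozilla Firefox", "13.0.1", r"E:\PortableApps\FirefoxPortable\App\Firefox\firefox.exe"),
    Installed("7-Zip", "9.20", r"C:\Program Files\7-Zip\7z.exe"),  # not in the database
]


def find_advisory(item: Installed, advisories: List[Advisory]) -> Optional[Advisory]:
    """Match on product name and the major version branch of the installed copy."""
    parsed = parse_version(item.version)
    major = parsed[0] if parsed else 0
    for adv in advisories:
        if adv.product == item.product and adv.major == major:
            return adv
    return None


def assess(item: Installed, advisories: List[Advisory]) -> Result:
    """Apply the decision rules to one installed copy."""
    adv = find_advisory(item, advisories)
    if adv is None:
        state, solution = "Not tracked", None
    elif adv.end_of_life:
        state, solution = "End-of-Life", None
    elif adv.unfixed_flaw:
        state, solution = "Insecure", "no vendor solution"
    elif adv.latest_fix and version_lt(item.version, adv.latest_fix):
        state, solution = "Insecure", f"update to {adv.latest_fix}"
    else:
        # "Patched" only means no security fix newer than this version is known,
        # not that this is the vendor's latest release.
        state, solution = "Patched", None
    return Result(item.product, item.version, item.path, state, solution)


def scan(inventory: List[Installed], advisories: List[Advisory]) -> List[Result]:
    return [assess(item, advisories) for item in inventory]


def summary(results: List[Result]) -> dict:
    """Count of copies per state, as the scan-results page totals them."""
    counts: dict = {}
    for r in results:
        counts[r.state] = counts.get(r.state, 0) + 1
    return counts


if __name__ == "__main__":
    for r in scan(INVENTORY, ADVISORIES):
        print(f"{r.state:12} {r.product} {r.version}  {r.path}  {r.solution or ''}")
```

Two details worth noticing: the bundled VLC 0.9.9 under the Gmote directory is matched against the 0.x branch and flagged End-of-Life even though a patched 2.x copy is also present, and the portable Firefox is reported as a second row with the same version as the installed one, exactly as the article describes.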

Secunia PSI - Secure Browsing

Another good feature in Secunia PSI 2.0 is "Secure Browsing." Before I explain what it is, first you have to enable it. In the left pane of Secunia PSI, click Configuration, and then click Settings. In Settings, you will see an option to "Enable Secure Browsing Page," and several other options you might be interested in. When you check the box beside this option, "Secure Browsing" will appear under scan results in the left pane.

Click it.

Now, Secunia PSI does not offer a secure browser, and it does not protect your browser in any way. However, if you have multiple browsers installed, this feature can be useful. It will check your installed browsers, and their plug-ins, to see if they are secure or not. Why put this extra feature in here instead of just adding this to the main results?

The problem is that vulnerabilities in web browsers aren't always fixed immediately. While this is true for most other software too, web browsers are far more vulnerable because their entire purpose is to retrieve information from the Internet. For this reason, holes in web browsers and browser plug-ins are responsible for a huge share of all malware infections and similar nasty consequences on Windows PCs, particularly Windows XP.

The Secure Browsing page in Secunia PSI is there to tell you if your browser is secure or not, and more specifically what part of it is not secure. If you look at the example pic above (click to enlarge if you need to), you will notice that my Chrome and Internet Explorer 9 browsers are vulnerable to attack due to Adobe Flash and Java, but at this time there is "no vendor solution."

The idea is that if one browser is insecure, use another one until the vendor has patched the problem. In this case, both browsers on my system are insecure, but at least I know what is insecure. I can disable both Java and Flash in the browser settings if I want to be more secure. Again, the reason web browsers are singled out is because they are also singled out by cybercriminals and malware authors.
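The decision rule behind the Secure Browsing page (a browser is only as secure as its weakest loaded component; use a clean browser if one exists; otherwise disable the plug-ins that have no vendor solution and update the ones that do) can be expressed directly. This is an added example, not Secunia's code; the browser and plug-in states are constructed input standing in for what the real tool derives from its scan of browser executables and plug-in DLLs.

```python
"""Secure-Browsing-style verdict: which installed browsers are safe to use now.

Added example, not Secunia's code. Browser and plug-in states are constructed
input; the real tool derives them from its scan of browser executables and
plug-in DLLs.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Component:
    name: str
    secure: bool
    vendor_solution: bool = True  # False: flaw is public, no patch available yet
    is_plugin: bool = False       # plug-ins can be disabled; the browser core cannot


@dataclass(frozen=True)
class Browser:
    name: str
    components: List[Component]


# Constructed scan results. Flash and Java are shared by every browser that loads them,
# so one unpatched plug-in makes several browsers insecure at once.
FLASH = Component("Adobe Flash Player 11", secure=False, vendor_solution=False, is_plugin=True)
JAVA = Component("Java 7 Update 5", secure=False, vendor_solution=False, is_plugin=True)

BROWSERS = [
    Browser("Google Chrome 20", [Component("Google Chrome 20", secure=True), FLASH, JAVA]),
    Browser("Internet Explorer 9", [Component("Internet Explorer 9", secure=True), FLASH, JAVA]),
    Browser("Mozilla Firefox 12", [Component("Mozilla Firefox 12", secure=False), FLASH]),
    Browser("Opera 12", [Component("Opera 12", secure=True)]),  # no plug-ins loaded
]


def insecure_parts(browser: Browser) -> List[Component]:
    """Every component (core or plug-in) that the scan flagged as insecure."""
    return [c for c in browser.components if not c.secure]


def safe_browsers(browsers: List[Browser]) -> List[str]:
    """Browsers with no insecure component: use one of these until the rest are patched."""
    return [b.name for b in browsers if not insecure_parts(b)]


def actions_for(browser: Browser) -> List[str]:
    """What would make this browser safe again, one action per insecure component."""
    actions = []
    for c in insecure_parts(browser):
        if c.vendor_solution:
            actions.append(f"update {c.name}")
        elif c.is_plugin:
            actions.append(f"disable {c.name} (no vendor solution)")
        else:
            actions.append(f"avoid {c.name} until the vendor ships a fix")
    return actions


def report(browsers: List[Browser]) -> Dict[str, List[str]]:
    """Map each browser name to its actions; an empty list means 'secure'."""
    return {b.name: actions_for(b) for b in browsers}


if __name__ == "__main__":
    print("safe to use now:", safe_browsers(BROWSERS) or "none")
    for name, actions in report(BROWSERS).items():
        print(f"{name}: {'secure' if not actions else '; '.join(actions)}")
```

With these constructed inputs the only clean browser is the one that loads no plug-ins, which is the situation the article describes: the browser cores are fine, but a shared plug-in with no vendor fix makes Chrome and Internet Explorer both insecure until it is disabled.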

Vulnerabilities that affect media players may require you to open a crafted media file, and vulnerabilities that affect Office software might exploit a flaw in how a document is rendered by the application. In both cases, you need to actually receive the malicious file and open it yourself. With web browsers, it is often the case that you only need to click a malicious link, so the attack vector is far more attractive to criminals, and they do put a considerable amount of resources into finding bugs to exploit.

Conclusion

Secunia PSI is not perfect. Sometimes it might give an inaccurate result, and as I mentioned, it does not always link you to the absolute latest version of software. Still, it is good to know if something on your system is vulnerable, so that you can take whatever action you wish to take later. The newer version of Secunia PSI, v3.0, is more simplistic in appearance but seems to offer much less detail and usability than v2.0, which continues to work just fine.

Originally posted by ddp: Didn't work for me even after I updated Adobe Flash Player, which it said was outdated. Also would not open, even from the tray or All Programs.

There is an issue with Secunia, in that you can't just update the program to fix the security issue. There are some files it doesn't like from before, like .dll extensions. If, after you update, it still has an issue, double-click on the file it has an issue with and follow its directory. Remove those troublesome files and rescan, and you'll see it typically doesn't have an issue. You could always completely remove/uninstall the old version; that may be a simpler solution.

The program itself does not work properly: as I try to open it, it appears then disappears, so I uninstalled it. I'm usually up to date, especially drivers from chipset manufacturers, not motherboard\card manufacturers.

So it didn't minimize to your taskbar after opening? I wonder if the specs are different on your computer than mine. Maybe they have to fix the current version to work with computers like yours. I haven't messed with chipset and motherboard drivers. If you are interested in trying the program out and are looking for a solution, sign up for the community forum. You could also sign up for the newsletter, which tells you about the latest security issues you could probably take care of yourself.

This message has been edited since its posting. Latest edit was made on 01 Jul 2012 @ 23:46

Originally posted by ddp: Was in the taskbar but would not open up except to show errors found. Running XP Pro SP3, Intel dual-core 3.2GHz, 2GB RAM, IE8 & Nvidia GeForce 7600GT. Don't really the program as I stated above.

Strange, I never noticed a problem like this before on any system I tried it on. The only issue I've seen with it is that sometimes it can take a while to appear, but it has never failed to show the GUI for me. Maybe it's a bug they fixed in 3.0.

I've used Secunia for years from v1.x to 2.x -- tried the recently-released v3.x but almost immediately uninstalled it and reinstalled v2.x because of the atrocious UI and dumbed-down approach the app had taken. I'll stick with v2.x.

I use another excellent updater program named FileHippo in tandem with Secunia (http://www.filehippo.com/). It runs at every boot-up and checks a wide variety of apps, and so the frequency is greater than the weekly Secunia scans since I typically shut down my computers each night.

I also subscribe to Brian Krebs' excellent newsletter (http://krebsonsecurity.com/) and he provides very timely notices of security issues for many different things, including releases of any fix or update for Java, Flash, etc.